Posted to dev@kafka.apache.org by "Vahid Hashemian (JIRA)" <ji...@apache.org> on 2017/05/26 23:45:04 UTC

[jira] [Created] (KAFKA-5336) The required ACL permission for ListGroup is invalid

Vahid Hashemian created KAFKA-5336:
--------------------------------------

             Summary: The required ACL permission for ListGroup is invalid
                 Key: KAFKA-5336
                 URL: https://issues.apache.org/jira/browse/KAFKA-5336
             Project: Kafka
          Issue Type: Bug
          Components: security
    Affects Versions: 0.10.2.1
            Reporter: Vahid Hashemian
            Assignee: Vahid Hashemian
            Priority: Minor


The {{ListGroup}} API authorizes requests with _Describe_ access to the cluster resource:

{code}
  def handleListGroupsRequest(request: RequestChannel.Request) {
    if (!authorize(request.session, Describe, Resource.ClusterResource)) {
      sendResponseMaybeThrottle(request, requestThrottleMs =>
        ListGroupsResponse.fromError(requestThrottleMs, Errors.CLUSTER_AUTHORIZATION_FAILED))
    } else {
      ...
{code}

However, the list of operations (or permissions) allowed for the cluster resource does not include _Describe_:
{code}
  val ResourceTypeToValidOperations = Map[ResourceType, Set[Operation]] (
    ...
    Cluster -> Set(Create, ClusterAction, DescribeConfigs, AlterConfigs, IdempotentWrite, All),
    ...
  )
{code}

Only a user with _All_ cluster permission can successfully call the {{ListGroup}} API. No other permission (not even any combination that does not include _All_) would let a user use this API.

The bug could be as simple as a typo in the API handler, though it's not obvious what permission was actually meant to be used there (perhaps _DescribeConfigs_?).
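The following is an added illustration of the mismatch described in this report, written as a small Python model; it is not Kafka's code. It mirrors only the {{Cluster}} entry of {{ResourceTypeToValidOperations}} quoted above (the other resource types are elided in the report and omitted here), models {{All}} as implying every operation, and adds a hypothetical {{HANDLER_REQUIREMENTS}} table plus a lint, {{unreachable_requirements}}, that flags any handler whose required operation can never be granted on its resource type, which is the check that would have caught this bug.

```python
"""Model of the KAFKA-5336 mismatch: a request handler demands an operation
that the ACL layer never lets an administrator grant on that resource type.
This is an added example, not Kafka's implementation."""
from enum import Enum, auto


class ResourceType(Enum):
    CLUSTER = auto()


class Operation(Enum):
    ALL = auto()
    CREATE = auto()
    CLUSTER_ACTION = auto()
    DESCRIBE_CONFIGS = auto()
    ALTER_CONFIGS = auto()
    IDEMPOTENT_WRITE = auto()
    DESCRIBE = auto()


# Mirrors the Cluster entry of ResourceTypeToValidOperations quoted in the
# report; other resource types are elided there and omitted here.
VALID_OPERATIONS = {
    ResourceType.CLUSTER: {
        Operation.CREATE, Operation.CLUSTER_ACTION, Operation.DESCRIBE_CONFIGS,
        Operation.ALTER_CONFIGS, Operation.IDEMPOTENT_WRITE, Operation.ALL,
    },
}

# Hypothetical table (constructed for this example) of the operation and
# resource each API handler authorizes against; ListGroups matches the
# handleListGroupsRequest snippet in the report.
HANDLER_REQUIREMENTS = {
    "ListGroups": (Operation.DESCRIBE, ResourceType.CLUSTER),
}


def add_acl(acls, operation, resource):
    """Simulated ACL creation: reject operations the resource type does not
    list as valid, as an ACL-management tool would."""
    if operation not in VALID_OPERATIONS[resource]:
        raise ValueError(f"{operation.name} is not a valid operation on {resource.name}")
    acls.setdefault(resource, set()).add(operation)
    return acls


def authorize(acls, operation, resource):
    """Simulated authorizer: All grants every operation on the resource;
    otherwise the exact operation must have been granted."""
    granted = acls.get(resource, set())
    return Operation.ALL in granted or operation in granted


def unreachable_requirements():
    """Lint: names of handlers whose required operation is not a valid
    operation for the resource they check, so only All can ever satisfy them."""
    return sorted(
        api for api, (op, resource) in HANDLER_REQUIREMENTS.items()
        if op not in VALID_OPERATIONS[resource]
    )


if __name__ == "__main__":
    print("handlers only reachable via All:", unreachable_requirements())
    acls = add_acl({}, Operation.DESCRIBE_CONFIGS, ResourceType.CLUSTER)
    print("DescribeConfigs grants ListGroups?",
          authorize(acls, Operation.DESCRIBE, ResourceType.CLUSTER))
    acls = add_acl({}, Operation.ALL, ResourceType.CLUSTER)
    print("All grants ListGroups?",
          authorize(acls, Operation.DESCRIBE, ResourceType.CLUSTER))
```

Running the lint over the handler table reports {{ListGroups}}, and the simulated authorizer shows that granting {{DescribeConfigs}} (or any other valid cluster operation) does not satisfy the handler while {{All}} does. Attempting to grant {{Describe}} on the cluster resource directly is rejected by {{add_acl}}, which is exactly why the required permission is unreachable.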



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)